The payload that configures a smart card.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| `UserPairing`: If `false`, users don't get the pairing dialog, although existing pairings still work. | boolean | optional | true | Yes | macOS (10.12.4+) |
| `allowSmartCard`: If `false`, the system disables smart cards for logins, authorizations, and screen saver unlocking. It is still allowed for other functions, such as signing emails and accessing the web. A restart is required for a setting change to take effect. | boolean | optional | true | Yes | macOS (10.12.4+) |
| `checkCertificateTrust`: Configures the certificate trust check and has one of the following possible values:<br>`0`: Turns off certificate trust check.<br>`1`: Turns on certificate trust check. A standard validity check is performed but doesn't include additional revocation checks.<br>`2`: Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it's considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed.<br>`3`: Turns on certificate trust check. A hard revocation check is also performed. Unless CRL/OCSP explicitly says "This certificate is OK," it's considered invalid. This option is the most secure. | integer | optional | 0 | Yes | macOS (10.12.4+) |
| `oneCardPerUser`: If `true`, a user can pair with only one smart card, although existing pairings are allowed if already set up. | boolean | optional | false | Yes | macOS (10.12.4+) |
| `tokenRemovalAction`: If `1`, the system enables the screen saver when the smart card is removed. Available in macOS 10.13.4 and later. | integer | optional | 0 | Yes | macOS (10.13.4+) |
| `enforceSmartCard`: If `true`, a user can only log in or authenticate with a smart card. Available in macOS 10.13.2 and later. | boolean | optional | false | Yes | macOS (10.13.2+) |
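
An added example (not part of the original page or Apple's tooling): a Python check that reads a configuration profile, fills in the defaults from the table, and reports settings that leave smart card login weaker than intended. The sample profile is constructed, the `com.apple.security.smartcard` payload type is assumed as the identifier for this payload, and the review policy in `audit` is an assumption.

```python
import plistlib

# Constructed sample profile, not from the page; only the setting keys and
# defaults come from the table. PayloadType is the smart card payload type.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.smartcard</string>
    <key>enforceSmartCard</key><true/>
    <key>checkCertificateTrust</key><integer>2</integer>
    <key>tokenRemovalAction</key><integer>1</integer>
  </dict></array>
</dict></plist>"""

DEFAULTS = {"UserPairing": True, "allowSmartCard": True,
            "checkCertificateTrust": 0, "oneCardPerUser": False,
            "tokenRemovalAction": 0, "enforceSmartCard": False}

def effective_settings(profile_bytes):
    """Smart card settings with the table's defaults filled in, or None."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.security.smartcard":
            return {key: payload.get(key, default)
                    for key, default in DEFAULTS.items()}
    return None

def audit(settings):
    """Return (key, finding) pairs; the review policy here is an assumption."""
    findings = []
    trust = settings["checkCertificateTrust"]
    if trust == 0:
        findings.append(("checkCertificateTrust", "trust check is off"))
    elif trust == 1:
        findings.append(("checkCertificateTrust", "no revocation check"))
    elif trust == 2:
        findings.append(("checkCertificateTrust",
                         "soft revocation: unreachable CRL/OCSP passes"))
    elif trust != 3:
        findings.append(("checkCertificateTrust", "value outside 0-3"))
    if settings["tokenRemovalAction"] != 1:
        findings.append(("tokenRemovalAction",
                         "card removal does not start the screen saver"))
    if settings["enforceSmartCard"] and not settings["allowSmartCard"]:
        findings.append(("allowSmartCard",
                         "conflicts with enforceSmartCard: card-only login "
                         "required while card login is disabled"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(effective_settings(SAMPLE_PROFILE)):
        print(f"{key}: {finding}")
```

A payload that omits `checkCertificateTrust` is reported as having the trust check off, because the table's default is `0`.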